Total Proposal Security

The National Science Foundation uses a computerized proposal-and-report submission system called FastLane. When I first submitted a proposal, this required three things to log in: your last name, your Social Security number, and a password of your choice.

Sometime in the last year, they stopped using the SSN, and switched to a randomly generated nine-digit ID number. Which they sent me in a massage that somehow manages not to include the strings "NSF," "FastLane," or "National Science Foundation." "ID" by itself returns too many results in GMail to be useful.

On the bright side, at least I can be confident that nobody else is going to log in and submit the final project report that's due...

There should be a link somewhere on the FastLane home page that will let you request the secret number. At least there was three months ago when I had to submit an interim report on my NSF grant. They sent me the secret number in a message with the subject "Requested NSF ID". I looked for the message in which they originally sent me the number, but I couldn't find it.

By Eric Lund (not verified) on 29 Jun 2009

Dear Professor Orzel,

We have not received your expected final project report. We have, however, received a new grant proposal requesting funds for the following items:

Cheese
Bunnies
Bacon
Chew Toys

We are unclear on how these items are relevant to the research funded under your current grant. One reviewer has recommended that you investigate whether someone else with access to your computer and/or residence may have intercepted a recent NSF e-mail with your new password, and used this to file a fraudulent proposal under your name.

Best wishes,

NSF

By Emory Kimbrough (not verified) on 29 Jun 2009

There should be a link somewhere on the FastLane home page that will let you request the secret number.

I couldn't find a link, but they did have a phone support number, and after ten minutes on hold, I got it taken care of.

I still don't know what they did with the original message that GMail couldn't find it. Google's usually pretty good at that sort of thing, you know?

They sent you a massage?! How does that work? Does the NSF have a side deal with craigslist?

Sorry, couldn't resist.

Mike.

By NoAstronomer (not verified) on 29 Jun 2009

Chad, I just checked my email client, and my version of the NSF message (January 2008) actually had the subject line "Requested NSF ID". Who knows the mysteries of gmail....

And yet FastLane is the crown jewel of federal online grants management. You could have to use grants.gov.

That sounds like "security theater" (as Bruce Schneier calls it). Sending the id afterwards using non-secure email is stupid. You should generate it in real time, during an encrypted session.

By Lassi Hippeläinen (not verified) on 29 Jun 2009